(19) Europäisches Patentamt
     European Patent Office
     Office européen des brevets

(11) EP 0 717 339 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 19.06.1996 Bulletin 1996/25

(51) Int. Cl.6: G06F 1/00

(21) Application number: 95308995.0

(22) Date of filing: 11.12.1995

(84) Designated Contracting States: DE FR GB

(30) Priority: 13.12.1994 US 355401

(71) Applicant: MICROSOFT CORPORATION
     Redmond, Washington 98052-6399 (US)

(72) Inventor: Sadovsky, Vladimir
     Kirkland, Washington 98033 (US)

(74) Representative: Meddle, Alan Leonard
     FORRESTER & BOEHMERT
     Franz-Joseph-Strasse 38
     80801 München (DE)

(54) Access to independent network resources

(57) A method and system for providing access to
independent network resources. At system logon, logon
data is stored in memory of a client computer. When a
server is accessed, server authentication data is stored
in a cache. System logon data and authorization data
can be applied to access an independent server
resource without requiring user interaction.

Description

FIELD OF THE INVENTION 

The invention relates to computer networks, and 
more specifically to access to independent resources on 
a computer network. 

BACKGROUND OF THE INVENTION 

Computers are often interconnected in a network to 
enable a number of computers to communicate and 
share resources. Networks can range in size from a 
small local area network, consisting of a few computers, 
printers, and other devices, to a much larger network 
consisting of many small and large computers distributed 
over a vast geographic area. A local area network or LAN 
commonly includes a number of personal computers and 
shared resources such as laser printers and large hard 
disks. Allowing the computers and other devices in the 
network to communicate, a communication link such as 
coaxial or fiber optic cable ties network devices together. 

The client-server model is a widely used network
architecture for local area networks. Both the client and
server are intelligent, programmable computer systems:
the client is typically a stand-alone personal computer
for running user-oriented application programs, and the
server is another personal computer or more powerful
computer system providing data management, information
sharing among clients, and network administration
and security features. The server is in charge of managing
access to shared resources such as a printer, a collection
of files in a disk directory, or a communications
device such as a fax or a modem.

In many client-server networks installed today, the 
network includes a number of completely independent 
server resources. "Independent" in this context means 
that the network resource has an independent, as 
opposed to shared, authentication database. In such a 
network, users have to enter authentication information 
such as a user identification (user ID) and password to 
access an independent network resource. This form of 
security is essential in computer networks to prevent 
unwanted access to a computer network. However, in 
networks including a number of independent servers, the 
process of accessing a given resource can be time con- 
suming and disruptive to the user. 

In the past, easy access to server resources was not
a significant concern. Users usually only needed access
to one or two servers every time they logged on to a network.
Access to the server or servers, in this case, could
easily be handled during the logon procedure conducted
when a user started up his or her computer and connected
to the network.

As networks and network technology have grown, it
is not unusual for a user to access many different
independent servers. To complicate matters, the user is less
likely to always need access to the same servers, so it
is not possible to predict which server resources a user
will need access to. A current trend in computer networks
is "peer-to-peer" capability where each computer in a
network may act as a server. Since peer-to-peer networks
significantly increase the number of servers a user
can potentially access, easy access to each server is
essential.

Another important feature for networks is a network
browsing feature which enables a user to selectively
browse a network or series of networks to look for
resources. This feature also requires access to be simple
and transparent to the user. The alternative is to require
the user to repeatedly enter user authentication information
for each server just to browse for server resources.

One solution to the problem of accessing servers is
to enhance the network server or network operating system
software to allow for a centralized logon. To support
a centralized logon, the network includes a server for
handling logon for all users. Once a user has logged in
through the central logon procedure, the user obtains a
special key to access additional server resources.
Access is "transparent" to the user and is handled
entirely behind the scenes.

Unfortunately, the centralized logon solution
requires an expensive upgrade in the server software,
and therefore is not a viable solution for many existing
network users. For the great number of those who will
continue to use their existing server software, there must
be a less costly, yet equally effective alternative.

SUMMARY OF THE INVENTION

To address these drawbacks associated with independent
server resources, the invention provides a
method and system for providing access to independent
network resources. In one embodiment, the system and
method for accessing independent network resources
are implemented in a network subsystem loaded into a
client computer system. The networking subsystem
includes a multiple provider router supporting common
networking functions and presenting a networking interface
to application programs. The multiple provider
router communicates with a network provider responsible
for accessing a particular network type. When an
application such as an operating shell program makes a
request to access network resources, the multiple provider
router routes the request to the appropriate network
provider.

The networking subsystem minimizes user interaction
required to access a network resource. In this
embodiment, the networking subsystem includes a
cache for storing authentication data, and it also maintains
logon data from system logon. To access an independent
server, for example, a network provider applies
logon data stored in the local computer where it resides.
If this does not succeed, the network provider searches
the cache for authentication data. If the authentication
data for the server to be accessed is in the cache, then
this data is applied to access the server. Only if both of
these attempts fail is the user prompted to enter authentication
information. Using this method, access to independent
resources usually occurs without requiring user
intervention.

The invention is useful in networks that treat servers
as independent resources. In such systems, it is difficult
to support a browsing feature because of the problem of
authenticating access to the independent servers. The
problem is even worse in systems where many computers
can act as a server because the number of accessible
servers increases. The invention solves this problem
by performing authentication automatically and with minimal
user interaction.

Further advantages and features of the invention will
become apparent to those skilled in the art from the following
description and accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram of a computer system where
a networking subsystem according to an embodiment of
the invention may be implemented.

Fig. 2 is a block diagram of the architecture of a networking
subsystem according to an embodiment of the
invention.

Fig. 3 is a flow diagram illustrating the steps of
accessing an independent network resource according
to an embodiment of the invention.

Fig. 4 illustrates the structure of the password cache
according to an embodiment of the invention.

DETAILED DESCRIPTION 

Figure 1 is a block diagram of a computer system 20
which is used to implement a method and system
embodying the invention. In a computer network adhering
to the client-server model, both the client and server
systems can have the same basic architecture as computer
system 20. Computer system 20 includes as its
basic elements a computer 22, input device 24 and output
device 26.

Computer 22 generally includes a central processing
unit (CPU) 28 and a memory system 30 that communicate
through a bus structure 32. CPU 28 includes an
arithmetic logic unit (ALU) 33 for performing computations,
registers 34 for temporary storage of data and
instructions and a control unit 36 for controlling the operation
of computer system 20 in response to instructions
from a computer program such as an application or an
operating system.

Memory system 30 generally includes high-speed
main memory 38 in the form of a medium such as random
access memory (RAM) and read only memory
(ROM) semiconductor devices and secondary storage
40 in the form of a medium such as floppy disks, hard
disks, tape, CD-ROM, etc. and other devices that use
optical, magnetic or other recording material. Main memory
38 stores programs such as a computer's operating
system and currently running application programs.
Main memory 38 also includes video display memory for
displaying images through a display device.

Input device 24 and output device 26 are typically 
peripheral devices connected by bus structure 32 to 
computer 22. Input device 24 may be a keyboard, 
modem, pointing device, pen, or other device for provid- 
ing input data to the computer. Output device 26 may be 
a display device, modem, printer, sound device or other 
device for providing output data from the computer. 

To enable the computer system to communicate with 
other computers in a network, the computer system 
includes a network adaptor. Allowing the computer to 
transfer data through the network, the network adaptor 
serves as both an input and output device 24, 26 for the 
computer system. The network adapter is typically an 
expansion card coupled to an expansion bus 32 of the 
computer system 20. Alternatively, the network adaptor 
could be another type of peripheral device such as a 
PCMCIA (Personal Computer Memory Card Interna- 
tional Association) network adaptor. The type of network 
adaptor also varies depending on the network topology 
(i.e. a bus, ring, or star configuration), the data transfer 
medium (i.e. a coaxial cable, twisted pair, or fiber optic 
cables), and the vendor of the device. These network 
adapters are readily available and are well known in the 
computer industry. 

It should be understood that Fig. 1 is a block diagram 
illustrating the basic elements of a computer system; the 
figure is not intended to illustrate a specific architecture 
for a computer system 20. For example, no particular bus 
structure is shown because various bus structures 
known in the field of computer design may be used to 
interconnect the elements of the computer system in a 
number of ways, as desired. CPU 28 may be comprised 
of a discrete ALU 33, registers 34 and control unit 36 or 
may be a single device in which one or more of these 
parts of the CPU are integrated together, such as in a 
microprocessor. Moreover, the number and arrangement 
of the elements of the computer system may be varied 
from what is shown and described in ways known in the 
art. 

A computer network can include a variety of different
computers and additional devices such as network printers
and modems. In a client-server architecture, personal
computers can act as both clients and servers in
the network. In addition, larger computers such as
minicomputers or mainframes can also act as either clients
or servers. A personal computer can function as a controller
of a disk array. A disk array is a special kind of
server that uses a large portion of its processing power
to manage input/output (I/O) for a large collection of disk
drives. A personal computer can also act as a communication
server, controlling access to a shared modem.
A server typically performs such tasks as managing network
traffic and storing common programs or data used
by many on the network. With increases in computing
power and storage, the distinction between a client and
server becomes less important because most if not all
computers in a network can function as both a client and
server.

As outlined in the background section, some networks
treat servers as independent network resources.
This presents a problem to users and application developers
because of the requirement that authentication
information be applied every time an application needs
to access a network resource. Authentication information
is the data used to gain access to a network resource
and is used to provide security against unwanted access
to network resources. The authentication information
usually includes a password and user identification (user
ID), but can be of some other form. The invention solves
the problems posed by the authentication process by
providing a method and system for accessing independent
resources.

Figure 2 is a block diagram of the architecture of a
networking subsystem in which an embodiment of the
invention is implemented. When loaded into memory of
a client computer system, the networking subsystem
enables application programs 50 (including an operating
system shell program) to access one or more networks.
The networking subsystem includes a multiple provider
router 52, one or more network providers 62, 64, 66, a
redirector 68, 70, 72 associated with each network provider,
a network transport 74, 76, 78 associated with
each redirector, and a network adapter driver 80.

The networking subsystem illustrated in Fig. 2 is
merely one example of an architecture where the invention
may be implemented. This networking subsystem is
an example of a networking subsystem that can be incorporated
into the Windows 95 operating system from
Microsoft Corporation. It should be understood that the
invention is not limited to this particular subsystem
architecture.

The multiple provider router 52 provides a common
network interface for applications 50. The multiple provider
router 52 is a dynamic link library (DLL) that
includes code to support a network application programming
interface (API) 82. The multiple provider router 52
avoids duplication of code needed to support multiple
networks by implementing common network functions in
a single DLL. Since the multiple provider 52 is a DLL, it
can be shared by application programs 50, including an
operating system shell program. The multiple provider
router 52 provides an interface to applications 50 that
allows for seamless browsing of network resources into
authenticated information such as network directories,
printers and other network resources. From the perspective
of the application, the multiple provider router 52 provides
consistent handling of authentication requirements
across multiple networks.

Applications perform network related functions
using the networking API 82. The networking API
includes functions to create and break a network connection,
enumerate network resources, report errors,
access a password cache for storing and prompt a user
for authentication information. While the multiple provider
router initially processes all network APIs, it also
may route some APIs to the appropriate network provider
module. The networking API 82 is set forth in more
detail in the "Win32 Networking API Specification,"
attached as Appendix A.

The networking subsystem shown in Fig. 2 can sup- 
port a number of different networks by including a 
number of network providers compatible with the service 
provider interface (SPI) 84. For a detailed specification 
of the SPI, see the "Chicago/Win32 Network Provider 
SPI Specification" attached as Appendix B. The SPI 84 
includes a series of functions implemented in the net- 
work providers 62, 64, 66 to support a network. To 
access functionality provided in a network provider, 
applications call functions in the networking API 82. The 
multiple provider router 52 then routes functions to the 
SPI 84 of the appropriate network provider 62, 64, 66. 
Features common to all networks are implemented once 
in the multiple provider router which reduces the code 
base of each network provider and ensures common
behavior between networks. Network specific functions 
are implemented in the network providers 62, 64, 66. 

Each network provider is a dynamic link library which
implements the SPI. It should be noted that network providers
do not have to implement every function in the SPI,
but rather can implement a subset of the functions. The
SPI functions supported in a network provider include
user identification, device redirection, shell interface,
enumeration, authentication, and configuration functions.
These SPI functions are set forth in more detail in
Appendix A.

The device redirection functions are the target of the 
connection functions supported in the multiple provider 
router. See Appendix B at 9-16. They form the associa- 
tion between a network resource and a network 
resource's name such as a drive letter or a device name 
for a printer. 

The shell interface functions help display the network
layout and attached resources for the user. See
Appendix B at 18-20. A specific function called the
NPSearchDialog() function extends the shell browsing
features by allowing a network provider to display its view
of the associated network.

The enumeration functions are used by the network
provider to support network browsing. See Appendix
B at 20-28.

The authentication functions enable the network 
provider to participate in network logon and logoff pro- 
cedures controlled by the multiple provider router 52. 

An advantage of the network providers 62, 64, 66 is 
that they share authentication information. This feature 
is useful, for example, to support browsing for resources 
among several networks. The network providers can 
share logon information including the user name and 
password used to access the local computer system 
where the network providers reside. Similarly, the net- 
work providers can share authentication information in a 
password cache, containing authentication information 
from previous connections to network resources. 

Network software vendors can incorporate client
support into this networking subsystem by developing a
network provider compatible with the SPI 84. Figure 2
provides an example of a networking subsystem having
three network providers 62, 64, 66, each supporting a
separate network. In this embodiment, the support for
providing access to independent server resources
resides primarily in a network provider 62 called
"NPNW.dll". As described in further detail below, the network
provider, NPNW.dll 62, refers to a module for supporting
a Novell NetWare Version 3 Network system.
"NetWare 3" is the name of a version of a network software
product commercially available from Novell, Inc. The
invention can also be applied in a variety of network systems
where network resources are treated as independent
resources. It should be understood that the invention
is not limited to this implementation, but rather, extends
to all networks where access to independent network
resources poses a problem. In addition to the network
provider, NPNW.dll, the networking subsystem can
include additional network providers 64, 66 either from
Microsoft Corporation or from other vendors.

The network providers 62, 64, 66 transfer data to and
from the networks that they correspond to using a redirector
68, 70, 72. In general, redirection is the process
of writing to or reading from a file or device different than
the one that would normally be the target or the source.
In the network context, the redirector controls the reading
and writing of data to a remote file system or device. The
redirectors in this subsystem redirect the unique semantics
of a particular remote file system. Since the redirector
is specifically written for a particular network, the
redirector is typically provided by a network vendor. For
example, for NetWare 3 network software from Novell,
Inc., Novell provides a redirector and publishes an application
programming interface to allow others to interface
with it. For other types of networks such as Windows for
Work Groups from Microsoft Corporation, the networking
subsystem includes a compatible redirector.

The network transports 74, 76, 78 implement the
device specific network transport protocols. The redirector
calls upon the transport for the actual delivery and
receipt of network data. Each redirector can use a separate
transport. However, because the functions of the
redirector and the transport are clearly separated in this
networking subsystem, it is also possible to use more
than one redirector for the same transport. Some examples
of commercially available transport modules include
NETBEUI available from Microsoft Corporation and
IPX/SPX available from Novell. A variety of different network
transports can be used, but they must be compatible
with the corresponding redirector.

The network driver interface specification (NDIS) 86
is a vendor independent software specification that
defines the interaction between any network transport
and the underlying device driver. The NDIS 86 enables
more than one transport 74, 76, 78 to use the same physical
network adaptor 80 as the associated device driver.

The network adaptor driver 80 controls the physical
network hardware such as the network adaptor card in
the computer system 20. The network adaptor driver 80
cooperates with the network transports to send and
receive data packets through the network. As is well
known, there are a number of commercially available adaptor
drivers 80, and the particular version or type of driver
is not critical to the invention.

Having described the networking subsystem, it is 
now possible to describe a method for accessing inde- 
pendent network resources. Figure 3 illustrates the steps 
of accessing an independent network resource accord- 
ing to an embodiment of the invention. 

The process of accessing an independent network 
resource begins when an application or the shell 
requests access to a network resource. This occurs, for 
example, when browsing network resources or when an 
application seeks to connect to a specific network 
resource. First, the network provider determines whether 
a connection already exists (90). This step 90 is network 
specific, and therefore, is not necessarily required for 
each type of network. For a network provider that sup- 
ports a NetWare 3 network, the network provider 
(NPNW.dll) 62 sends a request to the server to determine 
whether the client is already authenticated, meaning that 
a connection has been established between the client 
and server. If the connection already exists, the network 
provider 62 does not need to provide authentication infor- 
mation and the process of accessing the resource ends. 

If a connection does not exist, the network provider 
62 then determines whether the network resource to be 
accessed is available (92). The term "available" means
that the network resource is accessible through the net- 
work interface supported by the underlying redirector. 
For instance in a NetWare 3 network, a network server 
is available if the server to be accessed is active, sup- 
ports the network core protocol (NCP), and is able to cre- 
ate a new connection. As to whether the server can 
create a new connection, some servers have a limit on 
the total number of connections they can support. As 
such, a server is "unavailable" if the number of connec- 
tions is at this limit. If a network resource is not available, 
the network reports an error identifying that the resource 
is not available (94). 

If the network resource is available, then the network 
provider attempts to access the server using logon infor- 
mation 96. The logon information includes the user name 
entered during master logon, and the password entered 
to log on to the local computer system. The logon infor- 
mation is stored in RAM, and more specifically, in the 
code space of the network provider 62. If the attempt to 
authenticate access to the server succeeds using the 
logon information (98), then the method of accessing the 
independent resource ends. 

The logon information described above is merely an
example of the type of information used in one implementation.
Since different systems use different logon
information, it should be understood that the logon information
can vary without departing from the scope of the
invention.

If the attempt to authenticate access to the server 
using logon information fails, then the network provider 
determines whether authentication information for the 
server is stored in a local password cache (100). The 
password cache is a data store for storing authentication 
information. The password cache stores authentication 
information for servers that have been accessed before. 
For example, if a user accesses a directory on a remote
server on a NetWare 3 network, authentication informa- 
tion for that server will be cached. The next time the user 
needs to access that particular server, the authentication 
information stored in the password cache can be applied 
to access the server. 

Figure 4 illustrates the structure of the password 
cache 101. The password cache structure 101 includes 
a portion for identifying a server name 102, a user ID 
(104) and a password 106. In this particular implemen- 
tation, the user name and password are located together 
in a string 108 separated by the null value, zero. It is not 
critical to the invention, however, whether the structure 
has separate fields for the user ID and password. The 
password cache 101 is maintained in main memory of 
the local computer system. At the user's option, the data 
in the password cache 101 can be written to secondary 
storage (e.g. the hard drive) of the local computer sys- 
tem. If additional security is desired, password caching 
can be disabled. 

For security purposes, the password cache 101 is 
encrypted using the system logon user name or ID and 
password. When a user successfully logs on at his/her 
local computer system, the password cache is made 
available for use by the network providers 62, 64, 66 and 
application programs 50. 

To determine whether the password cache 101 con- 
tains authentication information for the server to be 
accessed, the network provider searches the password 
cache 101 for the server name. If authentication informa- 
tion is stored for the server 116, the network provider 
uses the authentication information to connect to the 
server 118. 

Alternatively, if the password cache does not have 
authentication information for the server, then the net- 
work provider must prompt the user for authentication 
information 120. The network provider can call the 
authentication dialog function to obtain information from 
the user. This service is described in Appendix B begin- 
ning at page 45. 

In this manner, the networking subsystem provides 
access to independent network resources such that 
interaction with the user is minimized. The user only has 
to enter authentication information if both the logon data 
does not apply and the password cache does not include 
the necessary authentication data. A user can therefore 
browse for resources or request a connection to a remote 
printer, for example, without having to repeatedly enter 
authentication information. 



The networking subsystem described above simplifies
access to independent network resources for applications.
An application, such as an operating system
shell program, can use the AddConnection function to
connect a server without specifying a specific device
such as a printer or a drive letter corresponding to a file
system entity. This enables the operating system to support
a browsing feature. While browsing, the shell program
can establish a connection to a server without
specifying a device or file system entity, and the devices
available on the server can be enumerated using the
connection. The ability to create a connection to a server
without specifying a device name can also simplify
access to network resources for other applications. For
instance, the shell program can be used to set up a connection
to a server, and then other applications can
access the server without having to support the authentication
functions required to establish a connection.

In environments where security is critical, the process
of accessing independent resources without user
interaction can be disabled. To provide additional security,
the user can be prompted for authentication information
every time an independent network resource needs
to be authenticated to establish a connection. In addition,
the caching of authentication information can be disabled,
so that the authentication functions built into the
networking subsystem cannot be used. By making the
authentication functions optional, the administrator of the
network can make the network more secure if necessary.
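
The access sequence of Fig. 3, the cache entry of Fig. 4 and the two security switches described above, as an added C example (not code from the patent or from any Microsoft network provider). The servers are simulated in memory, all names and credentials are constructed, and the cache encryption is left out.

```c
#include <stdio.h>
#include <string.h>

/* How a request was satisfied; numbers are the Fig. 3 step labels. */
typedef enum { ALREADY_CONNECTED /* 90 */, UNAVAILABLE /* 94 */,
               VIA_LOGON /* 96, 98 */, VIA_CACHE /* 116, 118 */,
               VIA_PROMPT /* 120 */, DENIED } access_result;

/* Fig. 4 layout: server name, then "user\0password" held in one string. */
typedef struct { char server[32]; char cred[64]; } cache_entry;

/* Simulated independent server with its own one-account database. */
typedef struct {
    const char *name, *user, *password;
    int connections, max_connections, client_connected;
} server;

typedef struct {
    const char *logon_user, *logon_password; /* kept from system logon */
    const char *typed_user, *typed_password; /* what the user would type */
    cache_entry cache[8]; int cache_len;
    int transparent_auth; /* 0: prompt for every new connection */
    int caching_enabled;  /* 0: cache is neither read nor written */
    int prompts;          /* how often the user was interrupted */
} client;

static int server_auth(server *s, const char *u, const char *p) {
    if (strcmp(s->user, u) != 0 || strcmp(s->password, p) != 0) return 0;
    s->client_connected = 1;
    s->connections++;
    return 1;
}

static cache_entry *cache_find(client *c, const char *name) {
    for (int i = 0; i < c->cache_len; i++)
        if (strcmp(c->cache[i].server, name) == 0) return &c->cache[i];
    return NULL;
}

static void cache_store(client *c, const char *name, const char *u, const char *p) {
    size_t ul = strlen(u), pl = strlen(p);
    cache_entry *e = cache_find(c, name);
    if (!c->caching_enabled) return;
    /* Refuse anything that would not fit instead of truncating it. */
    if (strlen(name) >= sizeof e->server || ul + pl + 2 > sizeof e->cred) return;
    if (!e && c->cache_len == 8) return;
    if (!e) e = &c->cache[c->cache_len++];
    strcpy(e->server, name);
    memcpy(e->cred, u, ul + 1);           /* user ID and its zero byte */
    memcpy(e->cred + ul + 1, p, pl + 1);  /* password after the separator */
}

access_result access_resource(client *c, server *s) {
    if (s->client_connected) return ALREADY_CONNECTED;
    if (s->connections >= s->max_connections) return UNAVAILABLE;
    if (c->transparent_auth) {
        if (server_auth(s, c->logon_user, c->logon_password)) return VIA_LOGON;
        cache_entry *e = c->caching_enabled ? cache_find(c, s->name) : NULL;
        if (e && server_auth(s, e->cred, e->cred + strlen(e->cred) + 1))
            return VIA_CACHE;
    }
    /* Stored data was refused, or transparent access is switched off. */
    c->prompts++;
    if (!server_auth(s, c->typed_user, c->typed_password)) return DENIED;
    cache_store(c, s->name, c->typed_user, c->typed_password);
    return VIA_PROMPT;
}

typedef struct { access_result a, b_first, b_again, full; int prompts; } outcome;

/* Constructed scenario: server A accepts the logon credentials, server B
   has a different account, server C is at its connection limit. */
outcome run_scenario(int transparent_auth, int caching_enabled) {
    server a = {"A", "alice", "logon-pw", 0, 4, 0};
    server b = {"B", "asmith", "b-pw", 0, 4, 0};
    server full = {"C", "alice", "logon-pw", 4, 4, 0};
    client c = {0};
    outcome o;
    c.logon_user = c.typed_user = "alice";
    c.logon_password = c.typed_password = "logon-pw";
    c.transparent_auth = transparent_auth;
    c.caching_enabled = caching_enabled;
    o.a = access_resource(&c, &a);
    c.typed_user = "asmith"; c.typed_password = "b-pw";
    o.b_first = access_resource(&c, &b);
    b.client_connected = b.connections = 0;   /* connection dropped */
    o.b_again = access_resource(&c, &b);
    o.full = access_resource(&c, &full);
    o.prompts = c.prompts;
    return o;
}

int main(void) {
    outcome d = run_scenario(1, 1), n = run_scenario(1, 0);
    printf("prompts with cache: %d, without: %d\n", d.prompts, n.prompts);
    return 0;
}
```

With both switches on, reconnecting to server B costs no prompt; with caching or transparent access switched off, each new connection to it prompts again.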

Though the invention is described above with reference
to a particular embodiment, it should be understood
that many variations to the embodiment are possible
without departing from the scope of the invention. For
example, networking subsystem functionality could be
implemented in a number of different network system
architectures. It is preferable to implement common networking
functions in a shared DLL, but this is not
required. It is also preferable to implement the network
providers in DLLs according to a common service provider
interface, but again, this is not required.

The method according to the invention may also vary
without departing from the scope of the invention. For
example, the steps could be performed in a different
order: the authentication data in the password cache
could be applied first before applying logon data to
access a network resource. It is preferable to minimize
information stored in the password cache, but the type
of data and duration of storage can vary. The structure
and manner of encrypting the cache can vary as well.
Many other alternatives are possible.

In view of the many possible embodiments to which
the principles of our invention may be put, it is emphasized
that the detailed embodiments described herein
are illustrative only and should not be taken as limiting
the scope of our invention. Rather, I claim as my invention
all such embodiments as may come within the scope
and spirit of the following claims and equivalents thereto.

Claims

1 . A method for accessing independent resources in a 
computer network, the method comprising: 

storing logon data for a user when the user
logs on to a local computer system in the computer
network;

storing authentication data when a user
accesses an independent system resource;

in response to a request to access an independent
network resource, performing the steps of:

attempting to access the independent network
resource using the stored logon data; and

attempting to access the independent network
resource using the stored authentication data.

2. The method of claim 1 wherein the authentication 
data includes a user identification and a password. 



3. The method of claim 1 wherein the authentication
data is stored in a cache.

4. The method of claim 3 wherein the cache resides in
main memory of the local computer system.

5. The method of claim 3 wherein the authentication
data in the cache is encrypted using logon data.

6. The method of claim 1 wherein the attempting to
access the independent network resource using the
stored authentication data is performed only if the
attempting to access the network resource using the
stored logon data fails in accessing the independent
network resource.

7. The method of claim 1 wherein the attempting to
access the independent network resource using the
stored logon data is performed only if the attempting
to access the network resource using the stored
authentication data fails in accessing the independent
network resource.

8. The method of claim 1 wherein the request to access
an independent network occurs during browsing for
network resources; the browsing comprising:

receiving a request from a user to display network
resources available on one or more network
servers; and

establishing a connection with the one or
more network servers, to determine available network
resources.

9. The method of claim 1 including the step of:

prompting the user to enter authentication
data only if the attempting to access the network
resource using stored logon data and stored
authentication data fails.

10. A method for accessing independent resources in a
computer network comprising:

storing logon data for a user in main memory
of a local computer system when the user logs on to
the local computer system in the computer network;

storing authentication data in a cache of the
local computer system when a user accesses an
independent system resource;

in response to a request to access an independent
network resource, performing the steps of:

attempting to access the independent network
resource using the stored logon data;

attempting to access the independent network
resource using the stored authentication data;

if the attempting to access the independent
network resource using the stored logon data and
the stored authentication data both fail, then
prompting the user to enter authentication data.



11. The method of claim 10 wherein the attempting to
access the independent network resource using the
stored authentication data includes:

searching the cache in local memory for a
server name;

if the server name is present in the cache,
then reading the stored authentication data associated
with the server name in the cache and applying
the stored authentication data to access the server
associated with the server name.

12. The method of claim 10 wherein the stored authen- 
tication data includes a user identification and a 
password. 

13. The method of claim 10 wherein the stored
authentication data in the cache is encrypted.

14. The method of claim 13 wherein the stored
authentication data in the cache is encrypted using logon
data, and the cache in memory of a local computer
system is accessible to user at the local computer
system when logon data associated with the local
computer system is entered in the local computer
system.

15. A networking subsystem located in memory of a client
computer system in a computer network, the networking
subsystem for accessing independent
servers in the computer network, the network
subsystem comprising:

a network provider for accessing an independent
server coupled to the computer network,
the network provider including a cache for storing
authentication data, the network provider capable of
accessing logon data stored in the client computer
system, the network provider for applying logon data
stored in the client computer and authentication data
stored in the cache to access the independent
server;

a multiple provider router in communication
with an application program for receiving a request
to access the independent server, and in communication
with the network provider for routing the
request to access the independent server to the network
provider; and

a redirector for communicating with the independent
network server.

16. The networking subsystem of claim 15 wherein the
network provider is a first network provider and further
including a second network provider; the multiple
provider router in communication with the first
and second network provider for routing a request
to access a server to both the first and second network
provider.

17. The networking subsystem of claim 16 wherein the
first and second network provider share logon data.

18. The networking subsystem of claim 16 wherein the 
first and second network provider share authentica- 
tion data in the cache. 
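
The access order of claim 10 combined with the server-name lookup of claim 11 and the logon-keyed cache of claim 14, as an added Python example that is not part of the patent. `PasswordCache`, `connect`, `try_auth` and `prompt` are hypothetical names, and the HMAC-SHA256 keystream is a stand-in cipher chosen so the block needs only the standard library (the patent leaves the manner of encryption open).

```python
import hashlib, hmac, os

def _stream(key, nonce, data):
    # Stand-in cipher (assumption): XOR with an HMAC-SHA256 keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class PasswordCache:
    """Server-name-keyed cache sealed with keys derived from logon data."""
    def __init__(self, logon_password):
        self.salt = os.urandom(16)
        k = hashlib.pbkdf2_hmac("sha256", logon_password.encode(), self.salt, 100_000, 64)
        self.enc_key, self.mac_key = k[:32], k[32:]
        self.entries = {}  # server name -> (nonce, ciphertext, tag)

    def _tag(self, name, nonce, ct):
        return hmac.new(self.mac_key, name.encode() + nonce + ct, hashlib.sha256).digest()

    def put(self, server, user, password):
        name, nonce = server.lower(), os.urandom(16)
        ct = _stream(self.enc_key, nonce, f"{user}\0{password}".encode())
        self.entries[name] = (nonce, ct, self._tag(name, nonce, ct))

    def get(self, server):
        name = server.lower()
        if name not in self.entries:
            return None
        nonce, ct, tag = self.entries[name]
        if not hmac.compare_digest(tag, self._tag(name, nonce, ct)):
            return None  # tampered entry, or cache opened with other logon data
        return tuple(_stream(self.enc_key, nonce, ct).decode().split("\0", 1))

# Assumption: try_auth(server, user, password) -> bool, prompt(server) -> (user, password) or None.
def connect(server, logon, cache, try_auth, prompt):
    """Logon data first, cached data second, user prompt last."""
    if try_auth(server, *logon):
        return "logon"
    cached = cache.get(server) if cache is not None else None  # None: caching disabled
    if cached and try_auth(server, *cached):
        return "cache"
    creds = prompt(server)
    if creds and try_auth(server, *creds):
        if cache is not None:
            cache.put(server, *creds)
        return "prompt"
    return None
```

Passing `cache=None` models the administrator disabling credential caching, as the description allows. A deployment would replace the stand-in keystream with a vetted authenticated cipher.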
